Fix auth session persistence with HttpOnly cookies and CSRF

2026-03-01 21:39:22 -03:00
parent a9333ec973
commit 26eae1a09b
14 changed files with 255 additions and 108 deletions


@@ -45,7 +45,7 @@ docker compose logs -f
## Authentication Model
- Legacy shared build-time frontend token behavior was removed.
- API now uses server-issued per-user bearer sessions.
- API now uses server-issued sessions that are stored in HttpOnly cookies (`dcm_session`) with a separate CSRF cookie (`dcm_csrf`).
- Bootstrap users are provisioned from environment:
- `AUTH_BOOTSTRAP_ADMIN_USERNAME`
- `AUTH_BOOTSTRAP_ADMIN_PASSWORD`
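Review bot: The new `dcm_session` / `dcm_csrf` line names the two cookies but does not document their attributes or how the CSRF token is checked, which is what an operator needs to verify the deployment. Suggest extending the bullet to state which flags each cookie is set with (e.g. `Secure`, `SameSite`, and that `dcm_csrf` is intentionally readable by script so the frontend can echo it back) and the request header the API compares against the `dcm_csrf` value on state-changing requests.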
@@ -56,7 +56,7 @@ docker compose logs -f
- `AUTH_LOGIN_FAILURE_WINDOW_SECONDS`
- `AUTH_LOGIN_LOCKOUT_BASE_SECONDS`
- `AUTH_LOGIN_LOCKOUT_MAX_SECONDS`
- Frontend signs in through `/api/v1/auth/login` and keeps issued session token only in active runtime memory.
- Frontend signs in through `/api/v1/auth/login` and relies on browser session persistence for valid cookie-backed sessions.
## DEV And LIVE Configuration Matrix
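Review bot: "relies on browser session persistence for valid cookie-backed sessions" is vague about what the frontend actually has to do now that the bearer header is gone. Suggest stating that API calls must be sent with credentials (cookies) included, that mutating requests must carry the CSRF token taken from the `dcm_csrf` cookie, and how a user ends the session (the logout path and whether it clears `dcm_session` server-side as well as in the browser).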
@@ -98,7 +98,7 @@ Recommended LIVE pattern:
2. Keep container published ports bound to localhost or internal network.
3. Set `PUBLIC_BASE_URL` and `VITE_API_BASE` to final HTTPS URLs.
4. Set `CORS_ORIGINS` to exact HTTPS frontend origins.
5. Credentialed CORS is intentionally disabled in application code for bearer-header auth.
5. Credentialed CORS is enabled and constrained for cookie-based sessions with strict origin allowlists.
## Security Controls
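Review bot: Step 5 enables credentialed CORS, which only works safely when step 4 is followed literally: with credentials allowed, `Access-Control-Allow-Origin` cannot be `*`, so the text should say outright that `CORS_ORIGINS` must contain exact origins and never a wildcard or a pattern. It is also worth one sentence noting that CORS does not block cross-site form submissions, which is why the `dcm_csrf` check remains required even with a strict allowlist.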
@@ -119,8 +119,7 @@ Recommended LIVE pattern:
## Frontend Runtime
- Frontend no longer consumes `VITE_API_TOKEN`.
- Session tokens are not persisted to browser storage.
- Users must sign in again after full page reload, opening a new tab, or browser restart.
- Session authentication is cookie-based; browser reloads and new tabs can reuse an active session until it expires or is revoked.
- Protected media and file download flows still use authenticated fetch plus blob/object URL handling.
## Validation Checklist
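Review bot: The replacement line says sessions are reused "until it expires or is revoked" but gives neither the lifetime nor the revocation mechanism, and the removed "not persisted to browser storage" statement is no longer stated for the new model. Suggest documenting the session expiry (absolute and/or idle) and which action revokes a session (logout, password change, admin action), and adding to the media/download bullet that those authenticated fetches now have to include cookies rather than an `Authorization` header so the blob/object URL flow keeps working.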